CVE-2026-32953: CWE-303: Incorrect Implementation of Authentication Algorithm in tillitis tkeyclient
CVE-2026-32953 is a medium severity vulnerability in the tillitis tkeyclient Go package versions 1.2.0 and below. The flaw causes 1 in 256 User Supplied Secrets (USS) to be silently ignored due to a buffer index error, resulting in the same Compound Device Identifier (CDI) and key material as if no USS was provided. This undermines the authentication algorithm by effectively discarding USS values whose hash starts with 0x00. The issue does not require authentication or user interaction but has limited impact due to the low probability of the hash starting with zero. The vulnerability has been fixed in version 1.3.0, and users unable to upgrade should select USS values whose hash does not begin with zero. No known exploits are reported in the wild at this time.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-32953 affects the tillitis tkeyclient Go package, specifically versions 1.2.0 and earlier. The tkeyclient module implements a TKey client that relies on User Supplied Secrets (USS) to generate a Compound Device Identifier (CDI), which is critical for key material derivation and authentication. Due to a buffer index error in the code, the boolean flag indicating whether a USS is enabled is overwritten by the first byte of the USS digest. Consequently, if the hash of the USS begins with the byte 0x00, the USS is silently ignored, causing the system to generate the same CDI as if no USS was supplied. This results in a collision where different USS inputs produce identical key material, undermining the authentication mechanism's integrity. The flaw is subtle and probabilistic, affecting approximately 1 out of every 256 USS inputs. The vulnerability does not require any privileges or user interaction to be triggered, but exploitation depends on the USS hash starting with zero. The issue has been addressed in version 1.3.0 of the tkeyclient package. Until upgrading is feasible, users are advised to avoid USS values whose hash begins with 0x00 to mitigate the risk. No public exploits have been reported, and the CVSS 4.7 score reflects a medium severity with partial impact on confidentiality, integrity, and availability, and a requirement for local access (AV:P).
Potential Impact
This vulnerability can lead to key collisions where distinct User Supplied Secrets produce identical Compound Device Identifiers and key material. For organizations relying on tillitis tkeyclient for secure authentication and key derivation, this undermines the integrity of the authentication process and could allow unauthorized access or key reuse scenarios. The silent nature of the flaw means it may go unnoticed, potentially weakening security guarantees without detection. However, the impact is limited by the low probability (approximately 0.39%) of a USS hash starting with 0x00 and the requirement for local or network access to exploit. Systems that depend heavily on unique USS values for device identity or cryptographic operations may face increased risk of impersonation or key compromise. The vulnerability does not appear to affect availability directly but could degrade trust in cryptographic operations and authentication workflows. Since no known exploits are reported, the immediate risk is moderate, but organizations should prioritize patching to prevent future exploitation.
Mitigation Recommendations
The primary mitigation is to upgrade the tillitis tkeyclient package to version 1.3.0 or later, where the buffer index error has been corrected. For organizations unable to upgrade immediately, a practical workaround is to ensure that User Supplied Secrets produce hashes that do not start with the byte 0x00. This can be achieved by pre-screening USS inputs or applying a transformation to avoid zero-leading hashes. Additionally, implement monitoring to detect unexpected key collisions or authentication anomalies that may indicate exploitation attempts. Review and audit cryptographic key derivation processes to ensure no other similar logic errors exist. Incorporate secure coding practices and fuzz testing in development to catch buffer and index errors early. Finally, maintain an inventory of systems using the vulnerable tkeyclient versions and prioritize patch deployment in environments with high security requirements.
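To make the index error from the Technical Summary and the pre-screening workaround above concrete, here is an added Go sketch; it is not tkeyclient's code, and the frame layout, offsets and the use of SHA-256 as the digest are assumptions for illustration only. It shows the digest copy landing on the flag byte, the receiver's view of the result, and the screening check an operator on 1.2.0 could apply.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Assumed layout (not the TKey wire format): byte 0 = "USS enabled" flag,
// bytes 1..32 = digest of the USS. SHA-256 stands in for the real digest.
const flagOffset, digestOffset, frameLen = 0, 1, 1 + sha256.Size

// encodeUSS builds the frame. With vulnerable=true the digest is copied from
// the flag's index, so digest[0] overwrites the flag: the advisory's bug class.
func encodeUSS(uss []byte, vulnerable bool) []byte {
	frame := make([]byte, frameLen) // flag stays 0 for nil uss: no USS
	if uss == nil {
		return frame
	}
	frame[flagOffset] = 1
	digest := sha256.Sum256(uss)
	start := digestOffset
	if vulnerable {
		start = flagOffset
	}
	copy(frame[start:], digest[:])
	return frame
}

// ussEnabled models the receiver's check: flag 0 means "no USS", digest ignored.
func ussEnabled(frame []byte) bool { return frame[flagOffset] != 0 }

// hashLeadsWithZero is the advisory's pre-screening workaround for 1.2.0.
func hashLeadsWithZero(uss []byte) bool {
	d := sha256.Sum256(uss)
	return d[0] == 0x00
}

// findZeroLeadingUSS tries constructed candidates until one hits the 1/256 case.
func findZeroLeadingUSS() []byte {
	for i := 0; ; i++ {
		if c := []byte(fmt.Sprintf("constructed-uss-%d", i)); hashLeadsWithZero(c) {
			return c
		}
	}
}

func main() {
	uss := findZeroLeadingUSS()
	fmt.Printf("USS %q: vulnerable client sends enabled=%v, same as no USS\n", uss, ussEnabled(encodeUSS(uss, true)))
}
```

A USS whose digest does not start with 0x00 still passes through the vulnerable build with the flag set, but with the digest shifted by one byte, so pre-screening only removes the silent "no USS" collision, not the need to upgrade.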
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T00:05:53.285Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69bcd2fce32a4fbe5f2df425
Added to database: 3/20/2026, 4:54:20 AM
Last enriched: 3/20/2026, 5:10:08 AM
Last updated: 3/20/2026, 7:13:24 AM